[shared storage] Support cross-origin worklet
For the sharedStorage.createWorklet() API, relax the same-origin
restriction to allow cross-origin script, in which case a
cross-origin worklet will be created.

How:
- Rely on CORS for the worklet to be loaded/used by the embedder.
- Leverage the existing process allocation and management logic from
service workers and directly re-use SiteInstanceImpl::CreateForServiceWorker(). To keep this CL focused,
renaming will occur in a separate CL, as it will involve renaming
other downstream components like
'UnmatchedServiceWorkerProcessTracker'.

Explainer: WICG/shared-storage#130
Spec: WICG/shared-storage#131
Design doc:
https://docs.google.com/document/d/1QTaaroCMeFVZVghI6JkUcDvmDQEacjvpyTfk6mpvQhA/edit?usp=sharing

Bug: 325302836
Change-Id: I11c1fc87bc76f4400c54d9fa809349d1d1781247
yaoxiachromium authored and chromium-wpt-export-bot committed Feb 15, 2024
1 parent 616d362 commit 01f734f
Showing 6 changed files with 166 additions and 0 deletions.
@@ -0,0 +1,35 @@
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/shared-storage/resources/util.js"></script>
<script src="/fenced-frame/resources/utils.js"></script>

<body>
<script>
'use strict';

promise_test(async () => {
const ancestor_key = token();
document.cookie = "key0=value0";
const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
const helper_url = crossOrigin +
`/shared-storage/resources/credentials-test-helper.py` +
`?access_control_allow_origin_header=${window.origin}` +
`&access_control_allow_credentials_header=true` +
`&token=${ancestor_key}`;

const worklet = await sharedStorage.createWorklet(
helper_url + `&action=store-cookie`,
{ credentials: "include" });

const request_cookie_fetch_response =
await fetch(helper_url + `&action=get-cookie`);

const request_cookie_text = await request_cookie_fetch_response.text();

assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
}, 'createWorklet() with cross-origin module script and credentials "include"');

</script>
</body>
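Review bot: The cookie written by `document.cookie = "key0=value0"` has no Domain attribute, so it should be host-only for the embedder and would not be attached to a request for the `{{domains[www]}}` helper under any credentials mode. The assertion `assert_equals(request_cookie_text, "NO_COOKIE_HEADER")` is therefore identical here and in the "omit" and "same-origin" sections that follow, and none of the three would fail if the `credentials` option were ignored for cross-origin worklet loads. For the "include" case to check anything, a cookie needs to exist on the cross-origin host first and the test should expect that cookie back from `action=get-cookie`; the other two sections can then keep the NO_COOKIE_HEADER expectation against the same cookie. A one-line comment above the assertion saying which cookie is expected to be absent, and why, would also help the next reader.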
@@ -0,0 +1,34 @@
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/shared-storage/resources/util.js"></script>
<script src="/fenced-frame/resources/utils.js"></script>

<body>
<script>
'use strict';

promise_test(async () => {
const ancestor_key = token();
document.cookie = "key0=value0";
const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
const helper_url = crossOrigin +
`/shared-storage/resources/credentials-test-helper.py` +
`?access_control_allow_origin_header=${window.origin}` +
`&token=${ancestor_key}`;

const worklet = await sharedStorage.createWorklet(
helper_url + `&action=store-cookie`,
{ credentials: "omit" });

const request_cookie_fetch_response =
await fetch(helper_url + `&action=get-cookie`);

const request_cookie_text = await request_cookie_fetch_response.text();

assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
}, 'createWorklet() with cross-origin module script and credentials "omit"');

</script>
</body>
@@ -0,0 +1,34 @@
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/shared-storage/resources/util.js"></script>
<script src="/fenced-frame/resources/utils.js"></script>

<body>
<script>
'use strict';

promise_test(async () => {
const ancestor_key = token();
document.cookie = "key0=value0";
const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
const helper_url = crossOrigin +
`/shared-storage/resources/credentials-test-helper.py` +
`?access_control_allow_origin_header=${window.origin}` +
`&token=${ancestor_key}`;

const worklet = await sharedStorage.createWorklet(
helper_url + `&action=store-cookie`,
{ credentials: "same-origin" });

const request_cookie_fetch_response =
await fetch(helper_url + `&action=get-cookie`);

const request_cookie_text = await request_cookie_fetch_response.text();

assert_equals(request_cookie_text, "NO_COOKIE_HEADER");
}, 'createWorklet() with cross-origin module script and credentials "same-origin"');

</script>
</body>
@@ -0,0 +1,29 @@
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/shared-storage/resources/util.js"></script>
<script src="/fenced-frame/resources/utils.js"></script>

<body>
<script>
'use strict';

promise_test(async t => {
const ancestor_key = token();
const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
const helper_url = crossOrigin +
`/shared-storage/resources/credentials-test-helper.py` +
`?access_control_allow_origin_header=${window.origin}` +
`&token=${ancestor_key}`;

return promise_rejects_dom(t, "OperationError",
sharedStorage.createWorklet(
helper_url + `&action=store-cookie`,
{ credentials: "include" }));
}, 'createWorklet() with cross-origin module script and credentials ' +
'"include", and without the Access-Control-Allow-Credentials response ' +
'header');

</script>
</body>
@@ -0,0 +1,28 @@
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
<script src="/shared-storage/resources/util.js"></script>
<script src="/fenced-frame/resources/utils.js"></script>

<body>
<script>
'use strict';

promise_test(async t => {
const ancestor_key = token();
const crossOrigin = 'https://{{domains[www]}}:{{ports[https][0]}}';
const helper_url = crossOrigin +
`/shared-storage/resources/credentials-test-helper.py` +
`&access_control_allow_credentials_header=true` +
`&token=${ancestor_key}`;

return promise_rejects_dom(t, "OperationError",
sharedStorage.createWorklet(
helper_url + `&action=store-cookie`,
{ credentials: "include" }));
}, 'createWorklet() with cross-origin module script and credentials ' +
'"include", and without the Access-Control-Allow-Origin response header');

</script>
</body>
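Review bot: `helper_url` has no query string in this test: the first parameter is appended as `&access_control_allow_credentials_header=true` directly after `credentials-test-helper.py`, so the whole suffix becomes part of the path and the helper is probably never reached. The `OperationError` would then come from a failed script load rather than from the missing Access-Control-Allow-Origin header, and the test passes without exercising the CORS check it is named after. The first parameter should open the query, i.e. `?access_control_allow_credentials_header=true`, as the other sections do with `?access_control_allow_origin_header=`.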
6 changes: 6 additions & 0 deletions shared-storage/resources/credentials-test-helper.py
@@ -13,6 +13,12 @@ def main(request, response):
response.status = 200
response.headers.append(b"Content-Type", b"text/javascript")

if b"access_control_allow_credentials_header" in request.GET:
response.headers.append(b"Access-Control-Allow-Credentials", request.GET[b"access_control_allow_credentials_header"])

if b"access_control_allow_origin_header" in request.GET:
response.headers.append(b"Access-Control-Allow-Origin", request.GET[b"access_control_allow_origin_header"])

if action == b"store-cookie":
cookie = request.headers.get(b"Cookie", b"NO_COOKIE_HEADER")
request.server.stash.put(token, cookie)
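Review bot: Both new branches copy a query-string value unchanged into a CORS response header (`Access-Control-Allow-Credentials` and `Access-Control-Allow-Origin`), and nothing in the hunk says that this permissiveness is deliberate. Any caller can make the helper answer with credentialed CORS approval for an origin of its choosing, which is acceptable for a WPT resource but is exactly the pattern that should not be copied into a real handler. I would add a comment above the first branch such as `# Test-only: CORS response headers are taken from the query string so each test can pick the header combination.`; if only the value true is ever needed, appending a constant `b"true"` instead of echoing the parameter would narrow it further. main() begins and continues outside the hunk, so whether the values are validated elsewhere cannot be seen from here.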
